VPN BETWEEN ZYXEL ATP200 AND FRITZBOX! 7590

Good morning all,
I'm trying to create an IPSec VPN tunnel between an ATP200 and a Fritzbox 7590 without success.
Has anyone done this VPN configuration and can help me?

On the Fritzbox the error is:

Errore IKE 0x203D --> "phase 1 sa removed during negotiation"

The ATP debug log is attached as "TESTVPN_LOG.txt"


Thank you so much!



All Replies

  • zyman2008
    zyman2008 Posts: 199  Master Member
    Leandro85,
    From the logs, it looks like the FRITZ!Box 7590 is configured as an IPSec VPN client, not Site-to-Site VPN.
    It sends a request with Aggressive mode/PSK/mode-config.

    So you can try to change the VPN connection rule on your ATP200 to enable mode-config settings,


  • Leandro85
    Leandro85 Posts: 5
    edited March 2022
    Thank you for your reply :)
    I've tried your suggestion but without success.
    The firewall log is attached.

    Those are the ATP's configurations






    This is the Fritzbox VPN Configuration:


    Thanks a lot!!!
    Best regards
    Leandro
  • mMontana
    mMontana Posts: 1,302  Guru Member
    If you can consider professional support...
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    Hi @Leandro85
    You can try changing the VPN connection setting (Phase 2).
    > Configure as Remote Access (Server Role)
    > Configure local policy as "192.168.0.0/24".
  • zyman2008
    zyman2008 Posts: 199  Master Member
    Hi @Leandro85,
    The logs say the VPN Phase 1 process succeeds but Phase 2 fails because of a proposal mismatch.


    Then I searched Google to check what algorithms the Fritzbox supports.
    The help says "Perfect Forward Security (PFS) is not supported".


    You can remove the Perfect Forward Security (PFS) setting in the VPN Connection rule on the ATP and try again.

  • Kepir
    Kepir Posts: 16  Freshman Member
    Hi all,
    I have exactly the same problem. I have a USG310 on the server side and a Fritzbox as VPN client. Everything is configured as in the posts before.
    The Fritzbox log is:
    VPN-Fehler: ATA154, IKE-Error 0x2026

  • mMontana
    mMontana Posts: 1,302  Guru Member
    For both gateway and connection, do not enable PFS on the Zyxel.
  • Kepir
    Kepir Posts: 16  Freshman Member
    Thank you @mMontana,
    Sorry for the delay.
    I still have the same problem.
    Here are my settings:
  • mMontana
    mMontana Posts: 1,302  Guru Member
    edited July 2022
    Disable the Key Group for both gateway and connection. It should report "none".
    IMVHO none of the three proposals should be used; I'd start with AES128/SHA1. I'd also disable "narrowed".
  • Kepir
    Kepir Posts: 16  Freshman Member
    The proposals are changed, but the Gateway Key Group cannot be none. Only DH1, DH2, DH5, DH14.
